The personal information of Bank of America customers is at risk due to a data breach at one of its service providers, Infosys McCamish Systems (IMS), that occurred last year.
The security breach has resulted in the exposure of PII belonging to customers. This includes their names, addresses, social security numbers, dates of birth, as well as financial information such as account and credit card numbers. These details were shared with the Attorney General of Texas.
With a widespread presence of over 3,800 retail financial centers and approximately 15,000 ATMs across the United States, its territories, and more than 35 countries, Bank of America caters to an estimated 69 million clients.
A representative from Bank of America declined to provide further information when contacted by BleepingComputer, instead requesting that we reach out to Infosys McCamish for further clarification.
Although the exact number of affected customers has not been revealed by Bank of America, a breach notification letter submitted to the Attorney General of Maine on behalf of the bank disclosed that 57,028 individuals were directly impacted.
According to the data breach notification, on or around November 3, 2023, IMS experienced a cybersecurity incident involving an unauthorized third party gaining access to IMS systems. This resulted in the unavailability of certain IMS applications.
IMS notified Bank of America on November 24, 2023 that there is a potential for data breach in regards to the deferred compensation plans handled by Bank of America. However, Bank of America’s systems were not affected.
There is a slim chance that we will definitively ascertain which personal information was obtained due to the IMS event.
IMS has been hit with a ransomware attack, according to LockBit.
The November security breach, which was initially reported in a filing with the U.S. Securities and Exchange Commission, resulted in certain applications and systems being unavailable in IMS.
On November 4th, the IMS attack was claimed by the LockBit ransomware gang who reported encrypting over 2,000 systems during the breach.
